Quote:German Cybersecurity Agency Warns of Security Flaw in Kaspersky Antivirus
Official patch already available since mid-April
May 13, 2019 09:37 GMT · By Bogdan Popa ·
Kaspersky has already released a patch in April

German cybersecurity agency BSI issued a warning concerning a security flaw in Kaspersky antivirus, recommending users to install the latest patches as soon as possible.

While the advisory (available in German here, so translation is needed) doesn’t include any details regarding possible cyberattacks based on the flaw, BSI warns that hackers only need to send a malicious email containing a crafted file to their targets and, in some cases, this file “doesn’t even need to be opened.”

The security flaw that BSI warns of is documented in CVE-2019-8285, and it was actually fixed by Kaspersky last month.

The issue allows for remote execution of arbitrary code on a vulnerable computer, and Kaspersky said only systems with antivirus databases released before April 4 were exposed.
"Patch already available for Kaspersky software"

The patch has already been released through the built-in update system of Kaspersky products, so if automatic updates are enabled, your device should be secure.

“Kaspersky Lab has fixed a security issue CVE-2019-8285 in its products that could potentially allow third-parties to remotely execute arbitrary code on a user's PC with system privileges. The security fix was deployed to Kaspersky Lab customers on 4th April, 2019 through a product update,” an advisory published by Kaspersky on May 8 reads.

Technically, all Kaspersky products with antivirus database are affected by the vulnerability. The vulnerability isn’t tied to the operating system version, so all Windows releases are impacted.

“This issue was classified as heap-based buffer overflow vulnerability. Memory corruption during JS file scan could lead to execution of arbitrary code on a user machine,” Kaspersky says.

In other words, the vulnerability can be exploited by simply having the Kaspersky security product to scan a crafted JS file, which can help an attacker achieve remote code execution and eventually take control of the target device.